
The Dark Side of Operational Wi-Fi Calling Services



  1. The Dark Side of Operational Wi-Fi Calling Services • Tian Xie 1, Guan-Hua Tu 1, Chi-Yu Li 2, Chunyi Peng, Mi Zhang 1 • 1 Michigan State University, 2 National Chiao Tung University, 3 Purdue University

  2. Wi-Fi Calling Services • Wi-Fi calling services let mobile users access voice and text services over Wi-Fi instead of cellular networks. • All four major U.S. operators have launched Wi-Fi calling services since 2016 – Verizon, AT&T, T-Mobile, and Sprint. • By 2020, Wi-Fi calling services will take 53% of mobile IP voice service usage including VoLTE (26%) and others (21%).

  3. Wi-Fi Calling Services Primer • Specifically, they are SIP-based voice and text services; however, they use a 3GPP-modified version. • Developed on top of 3GPP IMS (IP Multimedia Subsystem) • Operators use IMS to provide users with IP-based services such as VoIP • It uses the same infrastructure as VoLTE (Voice over LTE). • Radio Access Network (RAN) • Wi-Fi Access Point (Wi-Fi Calling) • eNodeB (VoLTE) • LTE Core Network (CN) • ePDG (Evolved Packet Data Gateway, Wi-Fi calling) • PDN-GW (Public Data Network Gateway) • AAA (Authentication, Authorization, and Accounting) • IMS (IP Multimedia Subsystem)

  4. Wi-Fi Calling Security Mechanisms • Uses the well-examined 3GPP Authentication and Key Agreement (AKA) and SIM-based security adopted by VoLTE – symmetric cryptography. • All Wi-Fi calling signaling and voice/text packets are delivered through IPsec (Internet Protocol Security) – ciphering and integrity protection. • How Does It Go Wrong?

  5. Finding 1: Wi-Fi calling devices will activate Wi-Fi calling services over an insecure Wi-Fi network

  6. Vulnerability: Wi-Fi calling devices do not exclude insecure Wi-Fi networks – (design defect of standards) • Vulnerability – Wi-Fi calling standards don’t exclude insecure Wi-Fi • Two Wi-Fi access point selection modes do not consider security factors yet!! • Manual (use a prioritized list) • Automated (ANDSF, Access Network Discovery and Selection Function) • Validation: • Deploy an insecure Wi-Fi network using a Wi-Fi router which is vulnerable to the ARP spoofing attack – the foundation of a variety of MITM attacks • I.e., the victim’s Wi-Fi packets will be intercepted and delivered to adversaries • We test whether the Wi-Fi calling devices keep connecting to the above Wi-Fi router • All tested Wi-Fi calling devices connected to the insecure Wi-Fi router!!!

  7. Finding 2: Wi-Fi calling devices do not employ security defenses against the common Wi-Fi ARP spoofing attacks

  8. Vulnerability: Wi-Fi calling devices do not defend against ARP spoofing attacks – (implementation issue of devices) • Vulnerability – Wi-Fi calling devices always accept ARP Reply messages • All packets sent by Wi-Fi calling devices can be redirected to adversaries • Validation • We use Ettercap to send ARP Reply messages to Wi-Fi calling devices. • Adversaries can capture all Wi-Fi packets sent by the victim
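The device-side check that slide 8 finds missing can be sketched as follows. This is an added example, not code from the presentation: the `GuardedArpCache` policy, its return strings and all addresses are constructed for illustration.

```python
import struct

ARP_REPLY = 2

def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used for the constructed samples)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa = struct.unpack("!6s4s", payload[8:18])
    return op, sha.hex(":"), ".".join(str(b) for b in spa)

class GuardedArpCache:
    """Hypothetical policy: accept a reply only if it answers our own request,
    and never let a reply silently rebind an IP that is already cached."""
    def __init__(self):
        self.table = {}       # IP -> MAC bindings we trust
        self.pending = set()  # IPs we have an outstanding request for
    def sent_request(self, ip):
        self.pending.add(ip)
    def on_packet(self, payload):
        op, mac, ip = parse_arp(payload)
        if op != ARP_REPLY:
            return "ignored"
        if ip in self.table and self.table[ip] != mac:
            return "alert-rebind"          # gateway MAC changed: likely spoofing
        if ip not in self.pending:
            return "dropped-unsolicited"   # the devices on the slide accept these
        self.pending.discard(ip)
        self.table[ip] = mac
        return "accepted"

def demo():
    # Constructed sample: documentation addresses and locally administered MACs.
    gw, dev, dev_mac = "192.0.2.1", "192.0.2.50", "02:00:00:00:00:50"
    cache = GuardedArpCache()
    cache.sent_request(gw)
    first = cache.on_packet(build_arp(2, "02:00:00:00:00:01", gw, dev_mac, dev))
    forged = cache.on_packet(build_arp(2, "02:00:00:00:00:66", gw, dev_mac, dev))
    return first, forged, cache.table[gw]
```

The second, unsolicited reply that tries to move the gateway IP to a different MAC is refused and flagged, so the cached binding is unchanged.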

  9. Finding 3: Wi-Fi calling devices and infrastructure indeed deploy extra security mechanisms for malicious Wi-Fi attacks, however, it is not enough.

  10. A system-switch mechanism for Wi-Fi Calling Service DoS Attacks • With the aforementioned two findings, adversaries can launch Wi-Fi calling service DoS attacks • Discarding all intercepted Wi-Fi signaling and voice/text packets • System-switch (Wi-Fi -> Cellular) • If a user fails to dial a Wi-Fi voice call, the mobile device will switch to cellular-network-based voice services. • If Wi-Fi calling service operators cannot route an incoming call to users by Wi-Fi calling, the operators will switch it to the cellular-network-based one. • Users are therefore free of voice/text DoS attacks.

  11. Vulnerability: Service continuity is not revised accordingly – (design defect of standards) • Service continuity can seamlessly switch an ongoing Wi-Fi calling call back to a cellular-network-based voice call • However, it is only triggered while the quality of Wi-Fi radio signals is bad • What if Wi-Fi radio quality is good but Wi-Fi calling service quality is poor? • We start dropping all Wi-Fi calling packets after the call conversation is started (Wi-Fi radio quality is good) • The system-switch security mechanism is bypassed!! No cellular-based voice call is initiated.
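The gap on slide 11 is easiest to see by comparing a handover trigger that looks only at radio quality with one that also watches whether voice packets are still arriving. This is an added example, not part of the presentation or of any 3GPP procedure: the window model, the `RSSI_FLOOR` and `STALL_WINDOWS` thresholds and the sample call are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Window:
    """One fixed-length observation window during an ongoing call (assumed model)."""
    rssi_dbm: int   # Wi-Fi radio signal strength seen by the device
    rtp_rx: int     # voice packets received through the IPsec tunnel

RSSI_FLOOR = -80      # assumed threshold for "bad radio"
STALL_WINDOWS = 3     # assumed: consecutive windows without voice before switching

def radio_only_handover(windows):
    """Behaviour the slide describes: switch to cellular only when radio is bad.
    Returns the index of the window that triggers the switch, or None."""
    for i, w in enumerate(windows):
        if w.rssi_dbm < RSSI_FLOOR:
            return i
    return None

def service_aware_handover(windows):
    """Revised trigger: also switch when the radio is fine but no voice packets
    have arrived for STALL_WINDOWS consecutive windows."""
    stalled = 0
    for i, w in enumerate(windows):
        if w.rssi_dbm < RSSI_FLOOR:
            return i
        stalled = stalled + 1 if w.rtp_rx == 0 else 0
        if stalled >= STALL_WINDOWS:
            return i
    return None

# Constructed sample: strong signal throughout, voice packets stop after window 1,
# which is the condition the slide's experiment creates.
DROPPED_CALL = [Window(-55, 98), Window(-54, 101), Window(-55, 0),
                Window(-56, 0), Window(-55, 0), Window(-55, 0)]

def compare(windows=DROPPED_CALL):
    return radio_only_handover(windows), service_aware_handover(windows)
```

On the constructed call the radio-only trigger never fires, while the service-aware trigger switches at the third silent window.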

  12. Finding 4: Wi-Fi calling service operators do not take extra security mechanisms to protect the encrypted Wi-Fi calling packets

  13. Vulnerability: The Wi-Fi calling traffic is vulnerable to side-channel attacks – (operational slip of operator) • Vulnerability – Wi-Fi calling is the only service that is carried by the IPsec channel between the mobile device and ePDG. • Adversaries may infer various Wi-Fi calling events such as dialing calls, receiving calls, etc. • Validation • Apply C4.5 to analyze IPsec traffic patterns • We are able to infer six Wi-Fi calling events • Evt I: Activating Wi-Fi calling service • Evt II: Receiving an incoming call • Evt III: Dialing an outgoing call • Evt IV: Sending a text • Evt V: Receiving a text • Evt VI: Deactivating Wi-Fi calling service

  14. Two Proof-of-concept Attacks

  15. Attack 1: User privacy leakage • Call statistics have been proven effective for inferring user privacy including personality [1], mood [2], malicious behaviors [3], etc. • Devising WiCA (Wi-Fi Calling Analyzer) to infer a Wi-Fi calling user’s call statistics • Who initiates the call (an incoming call or an outgoing call) • Who hangs up the call first (caller or callee) • Ringing time (how long the callee takes to answer the call) • Call conversation time • [1] Y.-A. de Montjoye, J. Quoidbach, F. Robic, and A. S. Pentland, “Predicting personality using novel mobile phone-based metrics,” in International Conference on Social Computing, Behavioral-Cultural Modeling, and Prediction. Springer, 2013. • [2] S. Thomée, A. Härenstam, and M. Hagberg, “Mobile phone use and stress, sleep disturbances, and symptoms of depression among young adults – a prospective cohort study,” BMC Public Health, vol. 11, no. 1, p. 66, 2011. • [3] V. Balasubramaniyan, M. Ahamad, and H. Park, “Callrank: Combating SPIT using call duration, social networks and global reputation,” in CEAS’07, 2007.

  16. Infer call statistics@WiCA • WiCA’s finite state machine • Record the number of Uplink and Downlink packets transmitted every 2 seconds • Classify them into three categories by packet size: • Small (<200 bytes), Medium (200-800 bytes), Large (>800 bytes) • Our observations on small packets

  17. Ringing time inference • We observe that Wi-Fi calling service servers will keep sending small packets to both caller and callee after the SIP RINGING message is sent by the callee. • No uplink small packets after the callee’s phone rings • Small downlink packets can be used to detect ringing • [Figure: Packet arrivals for the event ‘receiving a call with a ringtone’ (callee perspective). Legend: packets sent by the callee; packets sent by the Wi-Fi calling server.]

  18. Conversation time inference • We observe small packets on the uplink and downlink during the call conversation • [Figure: Packet arrivals for ‘Talking’ (callee perspective). Legend: packets sent by the callee; packets sent by the Wi-Fi calling server.]

  19. Call initiation and termination inference • Relying on the directions and patterns of large packets • E.g., if the ringing or talking event is detected and the first large packet (SIP INVITE) is sent by the monitored Wi-Fi user => it is an outgoing call • E.g., if the talking and not-talking events are detected and the last large packet (200 OK) is sent by the Wi-Fi server => the monitored Wi-Fi user terminates the call first

  20. Performance of WiCA • Who initiates, who ends the call first: 100% accurate • Ringing time and conversation time • Maximum error is less than 0.8 seconds.

  21. Another application of WiCA • By face recognition, it is not difficult to identify who you are • [Figure: photos labeled Peng, Mi, Xie, Tu, Li] • How about their IP addresses if they are using free public Wi-Fi?

  22. WiCA with visual recognition system • With a mature visual recognition system, WiCA’s call statistics can help to identify both user identities and their IP addresses • The ways people are surfing and talking on phones are different • We know which IP address initiates a Wi-Fi calling call and its call statistics.

  23. Attack 2: Telephony harassment or denial of voice service attack (THDoS) • We devise a telephony harassment or denial of voice service attack against Wi-Fi calling users. • It can bypass the security defenses deployed on Wi-Fi calling devices and the infrastructure. • The attack is based on the manipulation of the delivery of Wi-Fi calling signaling and voice packets for an ongoing call. • It contains several variants.

  24. Results of Discarding Wi-Fi Signaling and Voice Packets • [Figure: Wi-Fi calling call flow]

  25. Four Call Attack Variants • Attacks on Wi-Fi signaling • Annoying-Incoming-Call Attack • Victim is callee: • He/she keeps receiving incoming calls • By discarding the 180 Ringing message or 183 Session Progress message • Zombie-Call Attack – a call cannot be ended • Victim is caller: • The callee has answered the incoming call. • However, the caller’s device gets stuck on the dialing screen and keeps hearing the alerting tone. • The conversation is never started. • By discarding the 200 OK message
